CVE-2025-60179

The Click & Tweet plugin for WordPress suffers from an Improper Neutralization of Input During Web Page Generation vulnerability, specifically Stored Cross-Site Scripting (XSS), affecting versions from n/a through 0.8.9 [1]. The root cause is the failure to properly sanitize user-supplied input before it is stored and later rendered in web pages, allowing arbitrary script injection [1].

Exploitation

An attacker with the necessary privileges (e.g., a contributor or higher role) can inject malicious payloads that are stored by the plugin. While the attacker initiates the injection, successful exploitation requires an administrator or other privileged user to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form [1]. This interaction triggers the execution of the injected script in the context of the vulnerable site.

Impact

Upon successful exploitation, an attacker can execute arbitrary JavaScript in the browsers of visitors to the affected website. This can be leveraged to perform redirections, display advertisements, steal session cookies, or deliver other HTML payloads [1]. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Mitigation

Users are strongly advised to update the Click & Tweet plugin to a patched version as soon as possible. If an immediate update is not feasible, site owners should contact their hosting provider or a web developer for assistance. The vendor has not released a fix beyond version 0.8.9, so upgrading to a newer, unaffected version or removing the plugin is recommended [1].